The exemplary embodiment relates to a system and method for maintaining the privacy of personal information and finds particular application in connection with online services.
Most online (webserver) applications are not built to ensure protection of personal information. Several regulatory bodies, for example the European Union, are drafting regulations to require online service providers to explicitly ask users for their consent before using their information. See, for example, “Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data,” European Commission (Jan. 25, 2012).
The privacy-by-design approach is a generic software engineering principle stating that, in the development of an online service, the protection of private data is to be treated as a feature from initial design through implementation. In particular, the proposed EU regulation requires assuming that, when the privacy feature has not been considered, data protection must be guaranteed at the most restrictive level possible, i.e., there should be no use of the data. This requirement is known as privacy by default. In other words, every record of the application containing information about a person is considered private and cannot be communicated or used without explicit authorization of the owner of the data. This strict requirement makes existing online businesses difficult to conduct, since the existing software infrastructure often has not been developed with privacy guarantees in place.
A method and system are described which address the problems of integrating privacy requirements into an existing application.